Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mac802154: check local interfaces before deleting sdata list<br /> <br /> syzkaller reported a corrupted list in ieee802154_if_remove. [1]<br /> <br /> Remove an IEEE 802.15.4 network interface after unregister an IEEE 802.15.4<br /> hardware device from the system.<br /> <br /> CPU0 CPU1<br /> ==== ====<br /> genl_family_rcv_msg_doit ieee802154_unregister_hw<br /> ieee802154_del_iface ieee802154_remove_interfaces<br /> rdev_del_virtual_intf_deprecated list_del(&amp;sdata-&gt;list)<br /> ieee802154_if_remove<br /> list_del_rcu<br /> <br /> The net device has been unregistered, since the rcu grace period,<br /> unregistration must be run before ieee802154_if_remove.<br /> <br /> To avoid this issue, add a check for local-&gt;interfaces before deleting<br /> sdata list.<br /> <br /> [1]<br /> kernel BUG at lib/list_debug.c:58!<br /> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI<br /> CPU: 0 UID: 0 PID: 6277 Comm: syz-executor157 Not tainted 6.12.0-rc6-syzkaller-00005-g557329bcecc2 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024<br /> RIP: 0010:__list_del_entry_valid_or_report+0xf4/0x140 lib/list_debug.c:56<br /> Code: e8 a1 7e 00 07 90 0f 0b 48 c7 c7 e0 37 60 8c 4c 89 fe e8 8f 7e 00 07 90 0f 0b 48 c7 c7 40 38 60 8c 4c 89 fe e8 7d 7e 00 07 90 0b 48 c7 c7 a0 38 60 8c 4c 89 fe e8 6b 7e 00 07 90 0f 0b 48 c7<br /> RSP: 0018:ffffc9000490f3d0 EFLAGS: 00010246<br /> RAX: 000000000000004e RBX: dead000000000122 RCX: d211eee56bb28d00<br /> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000<br /> RBP: ffff88805b278dd8 R08: ffffffff8174a12c R09: 1ffffffff2852f0d<br /> R10: dffffc0000000000 R11: fffffbfff2852f0e R12: dffffc0000000000<br /> R13: dffffc0000000000 R14: dead000000000100 R15: ffff88805b278cc0<br /> FS: 0000555572f94380(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 000056262e4a3000 CR3: 0000000078496000 CR4: 00000000003526f0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> __list_del_entry_valid include/linux/list.h:124 [inline]<br /> __list_del_entry include/linux/list.h:215 [inline]<br /> list_del_rcu include/linux/rculist.h:157 [inline]<br /> ieee802154_if_remove+0x86/0x1e0 net/mac802154/iface.c:687<br /> rdev_del_virtual_intf_deprecated net/ieee802154/rdev-ops.h:24 [inline]<br /> ieee802154_del_iface+0x2c0/0x5c0 net/ieee802154/nl-phy.c:323<br /> genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]<br /> genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]<br /> genl_rcv_msg+0xb14/0xec0 net/netlink/genetlink.c:1210<br /> netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2551<br /> genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219<br /> netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]<br /> netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1357<br /> netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1901<br /> sock_sendmsg_nosec net/socket.c:729 [inline]<br /> __sock_sendmsg+0x221/0x270 net/socket.c:744<br /> ____sys_sendmsg+0x52a/0x7e0 net/socket.c:2607<br /> ___sys_sendmsg net/socket.c:2661 [inline]<br /> __sys_sendmsg+0x292/0x380 net/socket.c:2690<br /> do_syscall_x64 arch/x86/entry/common.c:52 [inline]<br /> do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]<br /> <br /> Recent reports have shown how we sometimes call vsock_*_has_data()<br /> when a vsock socket has been de-assigned from a transport (see attached<br /> links), but we shouldn&amp;#39;t.<br /> <br /> Previous commits should have solved the real problems, but we may have<br /> more in the future, so to avoid null-ptr-deref, we can return 0<br /> (no space, no data available) but with a warning.<br /> <br /> This way the code should continue to run in a nearly consistent state<br /> and have a warning that allows us to debug future problems.

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.

The The AI Infographic Maker plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.9.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

The eHive Objects Image Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;ehive_objects_image_grid&amp;#39; shortcode in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin&amp;#39;s &amp;#39;bf_new_submission_link&amp;#39; shortcode in all versions up to, and including, 2.8.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.9.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. The same &amp;#39;sc_attrs&amp;#39; parameter is vulnerable to Reflected Cross-Site Scripting as well.

Cross-Site Request Forgery (CSRF) vulnerability in Overt Software Solutions LTD EZPZ SAML SP Single Sign On (SSO) allows Cross Site Request Forgery. This issue affects EZPZ SAML SP Single Sign On (SSO): from n/a through 1.2.5.

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Reflected XSS.This issue affects RegistrationMagic: from n/a through

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Marcel Pol Gwolle Guestbook gwolle-gb allows Reflected XSS.This issue affects Gwolle Guestbook: from n/a through

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows Reflected XSS.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through

Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in algol.plus Advanced Dynamic Pricing for WooCommerce advanced-dynamic-pricing-for-woocommerce allows Reflected XSS.This issue affects Advanced Dynamic Pricing for WooCommerce: from n/a through